Documentation
Index ¶
- Constants
- Variables
- func BuildCanonicalPayload(manifest Manifest, checksums map[string]string) ([]byte, error)
- func MapVerificationErrorCode(err error) string
- func ValidateManifest(manifest Manifest) error
- func VerifyEd25519Signature(payload, signature []byte, publicKey ed25519.PublicKey) error
- func VerifyInstall(req VerifyInstallRequest) error
- func VerifySHA256(content []byte, expectedSHA256 string) error
- type Compatibility
- type KeyPair
- func (kp *KeyPair) ExportPrivateKeyBase64() string
- func (kp *KeyPair) ExportPublicKeyBase64() string
- func (kp *KeyPair) SavePrivateKeyJSON(path string) error
- func (kp *KeyPair) SavePublicKeyJSON(path string) error
- func (kp *KeyPair) Sign(payload []byte) ([]byte, error)
- func (kp *KeyPair) SignManifest(manifest Manifest, checksums map[string]string) ([]byte, error)
- type Manifest
- type TrustStore
- type TrustStoreFileSet
- type VerifyInstallRequest
Constants ¶
// Stable string error codes produced by MapVerificationErrorCode. They mirror
// the Err* sentinels declared in this package one-to-one and are intended for
// machine consumption (API responses, logs, metrics): the human-readable error
// text may change, these strings must not.
const (
	// Manifest shape and field validation.
	VerificationErrorCodeInvalidManifest         = "invalid_manifest"
	VerificationErrorCodeInvalidManifestID       = "invalid_manifest_id"
	VerificationErrorCodeInvalidManifestVersion  = "invalid_manifest_version"
	VerificationErrorCodeInvalidRuntime          = "invalid_runtime"
	VerificationErrorCodeInvalidPluginAPIVersion = "invalid_plugin_api_version"
	VerificationErrorCodeInvalidCompatibility    = "invalid_compatibility"

	// Artifact integrity: the expected digest is malformed, or the artifact
	// does not hash to it.
	VerificationErrorCodeInvalidChecksum  = "invalid_checksum"
	VerificationErrorCodeChecksumMismatch = "checksum_mismatch"

	// Key material and signature verification. unknown_key / revoked_key
	// originate from the TrustStore lookup; invalid_signature is a
	// cryptographic verification failure and must be a hard rejection.
	VerificationErrorCodeInvalidPublicKey = "invalid_public_key"
	VerificationErrorCodeInvalidSignature = "invalid_signature"
	VerificationErrorCodeUnknownKey       = "unknown_key"
	VerificationErrorCodeRevokedKey       = "revoked_key"
	VerificationErrorCodeInvalidKeyID     = "invalid_key_id"

	// Host compatibility (see Manifest.CheckHostCompatibility).
	VerificationErrorCodeIncompatibleRuntime          = "incompatible_runtime"
	VerificationErrorCodeIncompatiblePluginAPIVersion = "incompatible_plugin_api_version"

	// Trust store configuration problems.
	VerificationErrorCodeInvalidTrustStore = "invalid_trust_store"

	// Fallback for errors without a dedicated code (presumably what
	// MapVerificationErrorCode returns for anything else). Callers must still
	// treat it as a failed verification, never as success.
	VerificationErrorCodeUnknown = "unknown"
)
Variables ¶
// Sentinel errors returned by the verification pipeline. Compare with
// errors.Is (the pipeline may wrap them); MapVerificationErrorCode translates
// each one to the matching VerificationErrorCode* string. Any non-nil error
// from VerifyInstall means the artifact must not be installed.
var (
	// Manifest field validation.
	ErrInvalidManifest         = errors.New("invalid manifest")
	ErrInvalidManifestID       = errors.New("invalid manifest id")
	ErrInvalidManifestVersion  = errors.New("invalid manifest version")
	ErrInvalidRuntime          = errors.New("invalid runtime")
	ErrInvalidPluginAPIVersion = errors.New("invalid plugin api version")
	ErrInvalidCompatibility    = errors.New("invalid compatibility")

	// Artifact integrity.
	ErrInvalidChecksum  = errors.New("invalid checksum")
	ErrChecksumMismatch = errors.New("checksum mismatch")

	// Key material and signature verification.
	ErrInvalidPublicKey = errors.New("invalid public key")
	ErrInvalidSignature = errors.New("invalid signature")
	// ErrUnknownKey: the presented key ID is not in the trust store.
	ErrUnknownKey = errors.New("unknown trusted key")
	// ErrRevokedKey: the key ID is present in the revoked list.
	ErrRevokedKey = errors.New("revoked key")
	ErrInvalidKeyID = errors.New("invalid key id")

	// Host compatibility.
	ErrIncompatibleRuntime          = errors.New("incompatible runtime")
	ErrIncompatiblePluginAPIVersion = errors.New("incompatible plugin api version")

	// Trust store configuration.
	ErrInvalidTrustStore = errors.New("invalid trust store")
)
// Errors returned by LoadTrustStoreFromFiles when the trust store files cannot
// be used. Treat every one of them as fatal for verification: never fall back
// to an empty or partially loaded TrustStore, since that would silently drop
// trusted keys or, worse, the revocation list.
var (
	// ErrTrustStorePathRequired: a required trust store file path was empty
	// (RevokedKeysPath is documented as optional; the key files presumably are not).
	ErrTrustStorePathRequired = errors.New("trust store path is required")
	// ErrTrustStoreReadFailed: a trust store file could not be read.
	ErrTrustStoreReadFailed = errors.New("read trust store file failed")
	// ErrTrustStoreDecodeFailed: a trust store file did not match the expected
	// {"keys":[{"key_id","public_key"}]} JSON layout or held an undecodable key.
	ErrTrustStoreDecodeFailed = errors.New("decode trust store file failed")
)
// ErrInvalidPrivateKey is returned when private key material (e.g. as loaded
// by LoadPrivateKeyFromJSON) is malformed — for instance not decodable as
// Base64 or not the size of an Ed25519 private key.
var (
	ErrInvalidPrivateKey = errors.New("invalid private key")
)
Functions ¶
func BuildCanonicalPayload ¶
BuildCanonicalPayload 组装可签名的 canonical payload: 1) canonical manifest JSON 2) 按路径排序后的 checksums。签名方与验签方必须使用完全相同的 canonical 规则(Manifest 字段集合与顺序、JSON 编码方式、checksums 的排序与格式),任何差异都会导致验签失败;因此修改 Manifest 结构体或本函数的编码方式属于破坏已发布签名兼容性的变更。
func MapVerificationErrorCode ¶
MapVerificationErrorCode 将校验错误映射为稳定字符串错误码。
func ValidateManifest ¶
ValidateManifest 对最小字段进行基础校验。
func VerifyEd25519Signature ¶
VerifyEd25519Signature 验证 Ed25519 签名。publicKey 必须是合法的 Ed25519 公钥(长度为 ed25519.PublicKeySize):标准库 ed25519.Verify 对长度错误的公钥会 panic,实现应先以 ErrInvalidPublicKey 拒绝非法公钥,再进行验签;验签失败返回 ErrInvalidSignature。
func VerifyInstall ¶
func VerifyInstall(req VerifyInstallRequest) error
VerifyInstall 执行安装校验流水线: 1) 字段校验 2) host 兼容性校验 3) 工件 checksum 校验 4) manifest+checksums payload 验签。调用方应只在 VerifyInstall 返回 nil 时才安装工件:第 3 步比对的期望 checksum 来自 manifest/checksums,其可信性依赖第 4 步对同一份 payload 的验签通过,因此任一步骤失败都必须视为整体校验失败,不可跳过或降级。
func VerifySHA256 ¶
VerifySHA256 校验数据摘要与期望值是否一致。
Types ¶
type Compatibility ¶
// Compatibility is the range of host plugin API versions a plugin declares it
// can run against; it is consulted by Manifest.CheckHostCompatibility.
// NOTE(review): both bounds are plain strings — the comparison rule (semver,
// lexical, ...) and whether an empty bound means "unbounded" are not visible
// here; confirm against CheckHostCompatibility before relying on either.
type Compatibility struct {
	// MinPluginAPIVersion is the lowest accepted host plugin API version.
	MinPluginAPIVersion string `json:"min_plugin_api_version"`
	// MaxPluginAPIVersion is the highest accepted host plugin API version.
	MaxPluginAPIVersion string `json:"max_plugin_api_version"`
}
Compatibility 描述可接受的插件 API 版本范围。
type KeyPair ¶
// KeyPair is an Ed25519 signing identity: a KeyID that verifiers resolve in a
// TrustStore, plus the public and private key bytes.
//
// PrivateKey is secret material. The export paths on this type
// (ExportPrivateKeyBase64, SavePrivateKeyJSON) write it out with no protection
// visible in this package and are documented as dev/test only; production
// signing keys belong in a KMS/HSM, not in a JSON file on disk.
type KeyPair struct {
	// KeyID is the identifier stored as "key_id" in trust-store files and
	// passed to TrustStore.VerifySignature to select the verifying key.
	KeyID string
	// PublicKey is the Ed25519 verification key (expected ed25519.PublicKeySize bytes).
	PublicKey ed25519.PublicKey
	// PrivateKey is the Ed25519 signing key (expected ed25519.PrivateKeySize bytes). Secret.
	PrivateKey ed25519.PrivateKey
}
KeyPair 表示 Ed25519 密钥对。
func GenerateKeyPair ¶
GenerateKeyPair 生成新的 Ed25519 密钥对。
func LoadPrivateKeyFromJSON ¶
LoadPrivateKeyFromJSON 从 JSON 文件加载私钥。
func (*KeyPair) ExportPrivateKeyBase64 ¶
ExportPrivateKeyBase64 导出 Base64 编码的私钥。导出的是原始私钥材料,调用方必须像对待私钥本身一样保护其输出(不得写入日志或不受控的存储),仅应在开发/测试场景使用。
func (*KeyPair) ExportPublicKeyBase64 ¶
ExportPublicKeyBase64 导出 Base64 编码的公钥。
func (*KeyPair) SavePrivateKeyJSON ¶
SavePrivateKeyJSON 将私钥保存为 JSON 格式(仅用于开发/测试)。文档未提及任何加密或访问控制,应视为明文落盘:生产环境的签名私钥应由 KMS/HSM 等受保护机制持有,不要使用本方法导出。
func (*KeyPair) SavePublicKeyJSON ¶
SavePublicKeyJSON 将公钥保存为 JSON 格式。
type Manifest ¶
// Manifest is the signed metadata describing a plugin artifact. Together with
// the per-path checksums it forms the canonical payload (BuildCanonicalPayload)
// that KeyPair.SignManifest signs and VerifyInstall verifies.
//
// Because the canonical payload is derived from the manifest's JSON form, the
// field set, field order and json tags are effectively part of the signature
// format: changing any of them invalidates already-issued signatures (assumes
// canonicalization follows encoding/json field order — confirm in
// BuildCanonicalPayload before touching this struct).
type Manifest struct {
	// ID is the plugin identifier (see ErrInvalidManifestID).
	ID string `json:"id"`
	// Version is the plugin's own version (see ErrInvalidManifestVersion).
	Version string `json:"version"`
	// Runtime names the runtime the plugin targets
	// (see ErrInvalidRuntime / ErrIncompatibleRuntime).
	Runtime string `json:"runtime"`
	// PluginAPIVersion is the plugin API version the artifact was built against
	// (see ErrInvalidPluginAPIVersion / ErrIncompatiblePluginAPIVersion).
	PluginAPIVersion string `json:"plugin_api_version"`
	// SHA256 is the expected digest of the artifact; presumably the value
	// compared by VerifyInstall's checksum step via VerifySHA256. It is only
	// trustworthy once the signature over this manifest has been verified.
	SHA256 string `json:"sha256"`
	// Compatibility is the accepted host plugin API version range.
	Compatibility Compatibility `json:"compatibility"`
}
Manifest 描述插件工件签名需要的基础元数据。
func (Manifest) CheckHostCompatibility ¶
CheckHostCompatibility 校验插件是否能在目标 host 环境运行。
type TrustStore ¶
// TrustStore is the in-memory set of trusted signing keys (by key ID) and
// revoked key IDs used to verify plugin signatures. Build it with
// NewTrustStore (empty) or LoadTrustStoreFromFiles; VerifySignature resolves
// the presented keyID against it.
//
// Security notes: the keyID handed to VerifySignature comes from the artifact
// under verification and is attacker-controlled, so lookup must only ever
// select a key the store already trusts — never a key supplied alongside the
// signature. Revocation is only as strong as the revoked list actually loaded
// (see TrustStoreFileSet).
// NOTE(review): no synchronization is visible here; do not assume concurrent
// AddTrustedKey/RevokeKey during verification is safe without checking the implementation.
type TrustStore struct {
	// contains filtered or unexported fields
}
TrustStore 维护受信任 key 与吊销 key 的内存状态。
func LoadTrustStoreFromFiles ¶
func LoadTrustStoreFromFiles(paths TrustStoreFileSet) (*TrustStore, error)
LoadTrustStoreFromFiles 从 official/community/revoked 文件构建 TrustStore。
支持 JSON 结构:
{
"keys": [
{"key_id":"official-key-1","public_key":"BASE64_ED25519_PUBLIC_KEY"}
]
}
func NewTrustStore ¶
func NewTrustStore() *TrustStore
func (*TrustStore) AddTrustedKey ¶
func (s *TrustStore) AddTrustedKey(keyID string, publicKey ed25519.PublicKey) error
func (*TrustStore) IsRevoked ¶
func (s *TrustStore) IsRevoked(keyID string) bool
func (*TrustStore) RevokeKey ¶
func (s *TrustStore) RevokeKey(keyID string)
func (*TrustStore) VerifySignature ¶
func (s *TrustStore) VerifySignature(keyID string, payload, signature []byte) error
type TrustStoreFileSet ¶
// TrustStoreFileSet names the files LoadTrustStoreFromFiles reads.
// OfficialKeysPath and CommunityKeysPath share the
// {"keys":[{"key_id":..., "public_key":...}]} JSON layout. RevokedKeysPath is
// optional — but when it is empty no revocation data is loaded at all, so any
// key listed in the official/community files stays trusted even if it has been
// revoked elsewhere. Production deployments should always supply it.
type TrustStoreFileSet struct {
	// OfficialKeysPath is the path to the first-party (official) public keys file.
	OfficialKeysPath string
	// CommunityKeysPath is the path to the community-contributed public keys file.
	CommunityKeysPath string
	// RevokedKeysPath is the path to the revoked key ID list; may be empty (see above).
	RevokedKeysPath string
}
TrustStoreFileSet 定义 trust store 读取所需文件路径。
约定: 1. OfficialKeysPath 与 CommunityKeysPath 使用相同 JSON 结构; 2. RevokedKeysPath 可选,未提供时不加载吊销列表。注意:未提供 RevokedKeysPath 时不会加载任何吊销信息,出现在 official/community 文件中但已在别处被吊销的 key 仍会被视为受信任;生产环境应始终提供吊销列表,并将加载失败视为致命错误而非退化为空列表。